Accounting Mayhem Hack

At this past week's Black Hat Abu Dhabi conference, a pair of researchers presented proof-of-concept code that could change the dynamics of financially motivated cyber attacks. The attack, dubbed Project Mayhem, could enable an attacker to divert funds from a company's accounting and financial systems without immediate detection.

Attackers using this hack could rely on the fact that many mid-sized companies do not have complete control over, or visibility into, their financial processes. Often these same companies have rather lax auditing procedures in place, so they may miss less than obvious fraud in a timely manner, if at all.

Tom Eston and Brett Kimmel of SecureState focused on Microsoft Dynamics Great Plains (GP) software, in particular targeting the Dynamics SQL Server database, using an account hijacking technique via what is called a "process injection hack".

Microsoft Dynamics is used primarily by mid-sized companies.

If an attacker can control and manipulate a company's accounting system, it is possible to commit large-scale fraud by changing or manipulating financial data. The key to the attack is to stealthily modify entries in the accounting system to commit fraud, i.e., to transfer funds to an outside account.

Eston and Kimmel began by doing some reconnaissance online to learn the names and structures of the Dynamics GP software’s database tables, as well as other pertinent identifiers in the tables. Knowing this helps an attacker target a particular segment of the database.

An attacker could also hijack accounts by targeting Dynamics users, again by doing online reconnaissance of social networks or searches of LinkedIn profiles, and then crafting a spear phishing attack that would convince the target either to visit a site hosting the Project Mayhem malware or to open an attachment infected with the code. The malware is then used to pivot internally to specifically target Dynamics processes.

The proof-of-concept code, developed by SecureState researcher Spencer McIntyre, uses function hooking and library injection to exploit the application’s front end.

The goal is for the malware to open a channel back to the attacker and allow them to issue commands specific to Dynamics through the Dynamics GUI front end. The proof-of-concept code needs to be injected at run time; however, well-known patching techniques could be employed to have the necessary components loaded automatically at run time.

The malware hooks into key locations, the paper said, and intercepts function calls, in particular those to the ODBC32 library. By intercepting the calls that interact with the database, the malware obtains a valid copy of the legitimate connection handles and can inject malicious SQL commands as the legitimate user. Through a backdoor to the attacker's server, SQL commands can be issued without detection and without the need for a password.

Once inside and manipulating the system, an attacker could do such things as manipulate existing vendor records, forcing the system to remit manual or electronic payments to the attacker or a mule rather than to a legitimate vendor. This might involve any or all of creating new vendor entries, creating new manual check entries, increasing customer credit limits, modifying accounting records, creating negative customer balances that force automated refunds, or simply stealing credit card data, customer data or private financial records.

Such an attack against a financial system puts money and customer records at risk, but it also casts doubt on compliance, damages company reputation and can adversely affect customer relationships.

Even with proper bank reconciliation, funds can be diverted without immediate detection. Fraud of this type could last for months or years. Uncovering a fraud depends on the skills and resources available and on whether audits are performed at all.

Some things that you can do to prevent this kind of attack are:

  1. Core operating system security – This would include appropriate user security levels; strong, regularly changed passwords; and proper staff training. The main thing here is to keep the hackers out in the first place.

  2. Have strong anti-virus and anti-malware systems in place that are regularly updated – The idea here is that if a virus or malware does get onto the system, it is immediately detected and quarantined before damage is done.

  3. Implement strong database user and password authentication, and keep everyone but authorized users from accessing the database. Do the same for your accounting application software, updating or upgrading the software if necessary to get software that has the security capability that you need.

  4. Set up proper audit procedures so that financial records are checked in a timely fashion.

  5. Get professional help from the CCS Retail Systems Support Department to evaluate both the strengths and weaknesses of your systems.
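As an added illustration of the audit step (item 4), and not code from the post or from SecureState, here is a small check that runs over a vendor change-and-payment log and flags the two patterns described above: a payment issued shortly after a vendor was created or had its remit-to details changed, and a remit-to change made by someone outside the approved accounts-payable approvers. The record layout, field names, vendor IDs and user names are all constructed for this example and are not Dynamics GP's real table columns.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class VendorEvent:
    """One row of a vendor change/payment log (constructed layout, not a Dynamics GP table)."""
    vendor_id: str
    day: date
    kind: str          # "created", "remit_changed" or "payment"
    amount: float = 0.0
    actor: str = ""    # application user recorded for the change

def audit_vendor_events(events, window_days=7, approvers=frozenset()):
    """Return (vendor_id, reason) findings for two fraud patterns:
    a payment within window_days of the vendor's creation or of a remit-to change,
    and a remit-to change made by a user who is not an approved AP approver."""
    findings = []
    by_vendor = {}
    for ev in sorted(events, key=lambda e: e.day):
        by_vendor.setdefault(ev.vendor_id, []).append(ev)
    for vendor_id, rows in by_vendor.items():
        for ev in rows:
            if ev.kind == "remit_changed" and ev.actor not in approvers:
                findings.append((vendor_id, f"remit-to changed by unapproved user {ev.actor}"))
            if ev.kind != "payment":
                continue
            # Look back at risky changes that precede this payment within the window.
            for prior in rows:
                gap = (ev.day - prior.day).days
                if prior.kind in ("created", "remit_changed") and 0 <= gap <= window_days:
                    findings.append((vendor_id, f"payment of {ev.amount:.2f} {gap} day(s) after {prior.kind}"))
    return findings

# Constructed sample log: one long-standing vendor and one that follows the fraud pattern.
SAMPLE_EVENTS = [
    VendorEvent("V-ACME", date(2012, 11, 1), "created", actor="ap_clerk"),
    VendorEvent("V-ACME", date(2012, 12, 3), "payment", 1200.00),
    VendorEvent("V-NEWCO", date(2012, 12, 10), "created", actor="ap_clerk"),
    VendorEvent("V-NEWCO", date(2012, 12, 11), "remit_changed", actor="svc_dynamics"),
    VendorEvent("V-NEWCO", date(2012, 12, 12), "payment", 48500.00),
]

if __name__ == "__main__":
    for vendor, reason in audit_vendor_events(SAMPLE_EVENTS, approvers={"ap_manager"}):
        print(vendor, reason)
```

Running this as a scheduled report against an export of the vendor master and payables tables gives the reconciliation team a short list to verify with the vendor by phone before funds leave, rather than discovering the diversion at year-end.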

– John